Norbert Klasen
Senior Consultant nklasen@novell.com
Agenda
Data Translation
Add information to an event that is not present in the event generated by the source.
Look up the information in a table.
Collector: CSV files
Legacy: TRANSLATE()
JavaScript: lookup()
Examples: Severity, Taxonomy, descriptive names for numeric constants, DNS resolution
Mapping Service
Mappings are applied by the Event Router in the Collector Manager.
das_query distributes (delta) maps to the Collector Managers.
Map data is cached on the Collector Managers.
Point in Time
Data is always injected at the time an event is processed by Sentinel.
There are no updates if a relation changes later.
Map Definition
Range support
Event Configuration
SCC Demo
Who did it?
Correlate events from various systems that relate to the same person.
Inject identity information into events.
(Diagram: person, identity, accounts, account names)
Identity integration components:
ID Vault (IDM)
Sentinel Driver (IDM)
JMS Message Bus (Sentinel)
ID Vault Collector (Sentinel)
Identity API (Sentinel)
Identity and Account DB Tables/Views (Sentinel)
AccountIdentity Mapping Table (Sentinel)
Mapping Service (Sentinel)
Other Integrations
Generic Identity Collector
Microsoft Active Directory (work in progress)
Build your own using the SDK
Keys
Result
SCC Demo
What does this server do? Is it critical?
Inject asset information into events.
Asset Map
Keys: MSSPCustomerName, IP
Integrations
Generic Asset Collector (CSV)
Build your own using the SDK
SCC Demo
Is an attack directed at a vulnerable system?
Correlate attacks with vulnerabilities.
Load scan results into Sentinel.
Subscribe to the Advisor feed.
Connect an IDS.
IsExploitWatchList Map
Keys
Values
Dynamic Lists
List Attributes
Action
Inlist operator
Detects users who may be at risk of having their account information stolen by the attacker who has exploited the asset, which may in turn enable the attacker to compromise other systems.
Prerequisite: Advisor
Put the exploited asset on a dynamic list.
Create an alarm if a user logs into such an asset.
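The asset-map lookup and the dynamic-list correlation described above, as an added JavaScript example that is not Sentinel code or the presenter's: it assumes a CSV asset map keyed on MSSPCustomerName and IP, hypothetical event fields (customer, dip, user, isExploit) and constructed sample events, and stands in for the Mapping Service and the Inlist operator rather than calling them.

```javascript
// Added example (not Sentinel code); event field names are hypothetical.
// Constructed asset map; keys as on the Asset Map slide: MSSPCustomerName, IP
const ASSET_MAP_CSV = [
  'MSSPCustomerName,IP,AssetName,Criticality',
  'acme,10.0.0.5,db-prod-01,high',
  'acme,10.0.0.9,wiki-01,low',
].join('\n');

// Parse the CSV into a Map keyed on the composite key customer|IP
function parseAssetMap(csv) {
  const [header, ...rows] = csv.trim().split('\n').map((l) => l.split(','));
  const map = new Map();
  for (const row of rows) {
    const rec = Object.fromEntries(header.map((h, i) => [h, row[i]]));
    map.set(`${rec.MSSPCustomerName}|${rec.IP}`, rec);
  }
  return map;
}

// Point-in-time injection: the event gets whatever the map holds when it is
// processed; later map changes do not update already-processed events.
function enrich(event, assetMap) {
  const rec = assetMap.get(`${event.customer}|${event.dip}`) || {};
  return { ...event, assetName: rec.AssetName || null, criticality: rec.Criticality || null };
}

// Dynamic list of exploited assets plus an inlist-style check on logins:
// an exploit event adds the destination IP to the list; a login whose
// destination IP is on the list raises an alarm for the user at risk.
function correlate(events, assetMap) {
  const exploitedAssets = new Set();
  const alarms = [];
  for (const raw of events) {
    const e = enrich(raw, assetMap);
    if (e.type === 'attack' && e.isExploit) exploitedAssets.add(e.dip);
    if (e.type === 'login' && exploitedAssets.has(e.dip)) {
      alarms.push({ user: e.user, asset: e.assetName || e.dip, criticality: e.criticality });
    }
  }
  return { alarms, exploitedAssets };
}

// Constructed sample events: an exploit against 10.0.0.5, then two logins
const SAMPLE_EVENTS = [
  { type: 'attack', customer: 'acme', dip: '10.0.0.5', isExploit: true },
  { type: 'login', customer: 'acme', dip: '10.0.0.5', user: 'alice' },
  { type: 'login', customer: 'acme', dip: '10.0.0.9', user: 'bob' },
];
```

Running correlate(SAMPLE_EVENTS, parseAssetMap(ASSET_MAP_CSV)) yields one alarm, for alice on db-prod-01; bob's login to the unexploited wiki-01 raises none.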
SCC Demo
iTrac
iTrac Definitions
Incident: Actionable condition
Action: Preconfigured step; interactive and automated actions
Template: Definition of the steps to be taken in response to an incident
Process: Specific instance of a template that is used to actively track an incident
Steps
Manual Step (user interaction)
Command Step (launch script)
Mail Step
Decision Step (branch)
iTrac Template
Correlation Rule: Access to Exploited Asset
iTrac Template: IdT-Affected By Exploits
Creates an Incident with the attached workflow
SCC Demo
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.